Why cybersecurity experts can never rest

Online arms race continues apace

By William Jackson

Aug 23, 2010

The Web threat landscape is becoming increasingly dynamic and opportunistic as hackers continue to adapt to new online functionality and trends, according to a report on online security from Zscaler, a security firm that specializes in cloud computing.

“While the goals have not changed, the techniques continue to evolve,” wrote Michael Sutton, the company's vice president of security research, in the "State of the Web" report for the second quarter of 2010. “The attacks that we're seeing are increasingly dynamic in nature, continually shifting locations and swapping out payloads to avoid detection.”

Attackers are abusing social networking functionality, exploiting current events and using techniques such as fast flux, which rapidly changes the IP addresses that a domain name resolves to in the Domain Name System, a tactic that lets them evade blacklists that block malicious sites by address. The trends are not new, but they illustrate the continued threat posed by increasingly professional criminals with access to a growing kit of malicious tools available in the underground market.

“Attackers are quickly moving content to different locations in order to ensure that enterprises cannot simply protect themselves by blocking a specific range of IP addresses,” the report concludes. “It is clear that security vendors must be able to quickly adapt and inspect Web-based content on-the-fly in order to identify and secure against emerging threats in this continually evolving environment.”
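The evasion the report describes leaves a trace on the defender's side: a name whose answers rotate through many short-lived addresses in unrelated networks. The following is an added example (not code from the article or from Zscaler) that scores constructed DNS observations for that pattern; the thresholds and the use of /16 prefixes as a stand-in for ASN diversity are assumptions for illustration.

```python
"""Added example: score DNS observations of one hostname for fast-flux traits.
Not from the article or Zscaler; thresholds are illustrative assumptions."""
from typing import NamedTuple


class Lookup(NamedTuple):
    t: int        # seconds since first observation (constructed)
    ttl: int      # TTL returned with the A records
    addrs: tuple  # IPv4 addresses in this answer


def _churn(answers):
    """Mean Jaccard distance between consecutive answers (1.0 = no overlap)."""
    if len(answers) < 2:
        return 0.0
    dists = []
    for a, b in zip(answers, answers[1:]):
        sa, sb = set(a), set(b)
        dists.append(1 - len(sa & sb) / len(sa | sb))
    return sum(dists) / len(dists)


def fast_flux_score(lookups, window=3600):
    """Count indicators tripped within the window. The /16 prefix count stands
    in for ASN diversity because this offline example has no ASN database."""
    recent = [l for l in lookups if l.t <= window]
    ips = {a for l in recent for a in l.addrs}
    prefixes = {".".join(a.split(".")[:2]) for a in ips}
    evidence = {
        "many_ips": len(ips) >= 10,
        "many_networks": len(prefixes) >= 5,
        "low_ttl": min((l.ttl for l in recent), default=10**9) <= 300,
        "rotating": _churn([l.addrs for l in recent]) >= 0.5,
    }
    return sum(evidence.values()), evidence


def is_fast_flux(lookups):
    """Low TTL plus rotation alone also describes a CDN, so require 3 of 4."""
    return fast_flux_score(lookups)[0] >= 3


# Constructed observations: a fluxing name, a static host, and a CDN-like host.
FLUX = [Lookup(i * 300, 60, tuple(f"10.{i * 4 + k}.{k + 1}.{i + 1}" for k in range(4)))
        for i in range(6)]
STATIC = [Lookup(i * 900, 3600, ("192.0.2.10", "192.0.2.11")) for i in range(4)]
CDN_LIKE = [Lookup(0, 60, ("192.0.2.10", "192.0.2.11")),
            Lookup(60, 60, ("192.0.2.11", "192.0.2.12")),
            Lookup(120, 60, ("192.0.2.12", "192.0.2.10"))]
```

The CDN-like host trips the TTL and rotation indicators but not the spread across networks, which is the indicator that separates flux from ordinary load balancing.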

Legal inroads are being made against organized online crime. The Secret Service announced last week that Vladislav Anatolieviech Horohorin, known online as BadB, had been arrested by French authorities on U.S. federal indictments for access-device fraud, aggravated identity theft, and aiding and abetting. According to Secret Service officials, Horohorin was one of the founders of CarderPlanet, which the agency called “one of the most sophisticated organizations of online financial criminals in the world.” The site allegedly is operated by cyber criminal organizations to traffic counterfeit credit cards and false ID information and documents. The site provides a forum for purchasing stolen data and credentials as well as attack tools.

But criminals are resilient and continue to take advantage of current events, such as the recent World Cup tournament and Apple’s release of the iPad, and of new functionality, such as Facebook's “Like” button. Zscaler described Likejacking schemes in which an invisible Like button turns a click anywhere on a Web page into a Facebook “Like,” raising the page's Facebook profile to drive advertising.

The increasingly popular Twitter is also a rich target for phishing attacks as malicious third parties solicit Twitter account information with offers to increase the number of the account’s followers.

In addition, criminals are using search engine optimization techniques to drive malicious Web sites to the top of search results on major search engines, including Google, Bing and Yahoo, Zscaler found.

The United States remains by far the top country for malicious IP addresses identified by Zscaler in the second quarter, despite dropping from 62 percent of malicious addresses in April to 48 percent in June. All the other leaders are in the single digits. China and Germany were tied for second place with 7.11 percent each.

However, those figures likely say more about the number of computers and the rate of Internet use in a country than about where attacks originated.


Reader comments

Mon, Aug 23, 2010
Jeffrey A. Williams
Frisco Texas

Fast-fluxing has been a problem for years now and is frequently identified with the usual badly behaving Domain Name holders, yet ICANN, which has been aware of this problem for some time, has not taken the actions it could and arguably should have taken to deal with these Domain Names and their Registrars accordingly. As such, the behavior of same has been indirectly encouraged and now thrives with relative impunity.

Mon, Aug 23, 2010
Eirik Iverson
Chantilly, Virginia

Protecting computers from cyber crime is a cat and mouse game, as this article clearly implies. For years, AV vendors relied solely upon virus definitions (i.e., signatures) to detect malware. Multiple lab tests show that the effectiveness of signature-only detection is below 20%. So, the AV vendors responded by adding URL blacklisting, whereby the AV will warn/block a user attempting to visit such a site. As expected, the cyber criminals are responding.
The net result in the government and the commercial sector is that undiscovered malware operates freely on enterprise PCs for weeks to months, or until re-imaging.
So, ask yourself this about your PC as well as others in your organization. What would be the harm in loaning your PC to an Internet cafe where anyone may use it? What information rests in your PC and what information resources can your PC access?
If this poses unacceptable risks/harms, then you and your organization's IT personnel need new tools. Search with the following keywords: enterprise zero day malware protection. You'll learn more about the problem and, more importantly, you'll learn more about the solution.

Mon, Aug 23, 2010
Sotiris

I have been preaching about this for many years to everyone. The problem is that the majority of C-Level IT folks are simply incompetent, having very little if any IT background education and/or experience.
